WebTrust Seal

Obtaining the WebTrust Seal

To obtain the WebTrust seal of assurance, the CA must meet all the WebTrust for Certification Authorities principles as measured by the WebTrust for Certification Authorities criteria associated with each of these principles. In addition, the entity must engage a practitioner to provide the WebTrust service, and obtain an unqualified report from such practitioner.

Keeping the WebTrust Seal

Once the seal is obtained, the CA will be able to continue displaying it on its Web site provided the following are performed:

The CA’s WebTrust practitioner updates his or her assurance examination of the assertion on a regular basis. The CA must continue to obtain an unqualified report from such practitioner. The interval between such updates will depend on matters such as the following:

The nature and complexity of the CA’s operations

The frequency of significant changes to the CA’s operations

The relative effectiveness of the entity’s monitoring and change-management controls for ensuring continued conformity with the applicable WebTrust for Certification Authorities criteria as such changes are made

The practitioner’s professional judgment

For example, an update may be required more frequently for a CA that is expanding operations, changing extensively and rapidly, or issuing high-assurance certificates that are used for very sensitive transmissions or high-value transactions, as compared to a CA that issues few certificates and has a relatively stable operation. In no event should the interval between updates exceed 12 months; this interval often may be shorter. For example, in the situation of a start-up CA or CA function, it may be more appropriate that the initial examination period be established at 3 months, with the next review being performed 6 months after the WebTrust seal for CAs is awarded, thereafter moving to a 12-month review cycle. To provide continuous coverage and retain the seal, the period covered for update reports should begin with either the end of the prior period or the start of the period in the initial report.

During the period between updates, the CA undertakes to inform the practitioner of any significant changes in its business policies, practices, processes, and controls, particularly if such changes might affect the CA’s ability to continue meeting the WebTrust Principles and Criteria for Certification Authorities, or the manner in which they are met. Such changes may trigger the need for an assurance update or, in some cases, removal of the seal until an update examination by the practitioner can be made. If the practitioner becomes aware of such a change in circumstances, he or she determines whether the seal needs to be removed until an update examination is completed and the updated auditor’s report is issued.